[Freeipa-users] ipa-client-install failure

Dmitri Pal dpal at redhat.com
Fri Mar 20 18:00:17 UTC 2015 

On 03/20/2015 01:55 PM, Roberto Cornacchia wrote:
>
> No, sorry about the confusion, i shouldn't have posted so quickly.
>
> When I use the correct domain (hq.example.com 
> <http://hq.example.com>), then I really get all the same errors as 
> before, also in the new client.
>

Does it really hit the right domain controller? Can it be that there is 
something else on the network that overshadows IPA server?

Can you do everything correctly on the server itself?
kinit, ipa commands? UI?

>
>
> On 20 Mar 2015 18:39, "Dmitri Pal" <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 03/20/2015 01:25 PM, Roberto Cornacchia wrote:
>>     Oops. Not true, forget last email.
>>
>>     This secon client installation went different just because it
>>     took the wrong domain.
>>     It used *example.com <http://example.com>* (what was previously
>>     set) instead of *hq.example.com <http://hq.example.com>*
>>
>>     Uninstalled, tried again with --hostname=photon.hq.example.com
>>     <http://photon.hq.example.com>
>>     And then it behaves precisely like the previous client.
>>
>>     So something seems wrong in the server.
>>
>>     On 20 March 2015 at 18:18, Roberto Cornacchia
>>     <roberto.cornacchia at gmail.com
>>     <mailto:roberto.cornacchia at gmail.com>> wrote:
>>
>>         Update:
>>         I tried from another client. Also FC21, same network, same
>>         settings from the same DHCP.
>>         But obviously it must have something different because it
>>         partially succeeded.
>>
>>         - I do not get errors about LDAP users.
>>         - I do not get errors about DNS update
>>
>>         However:
>>         - I still get the initial error about NTP
>>         - The host is enrolled, but not added to the DNS zone
>>
>>         Now, I don't care much about the previous client. It was
>>         pretty much empty and can re-install Fedora from scratch.
>>
>>         But I'd like to understand if this is still a problem.
>>         It should be added to the zone, shouldn't it?
>>
>>         $ ipa-client-install --mkhomedir --ssh-trust-dns --force-ntpd
>>         Discovery was successful!
>>         Hostname: photon.example.com <http://photon.example.com>
>>         Realm: HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>         DNS Domain: hq.example.com <http://hq.example.com>
>>         IPA Server: ipa.hq.example.com <http://ipa.hq.example.com>
>>         BaseDN: dc=hq,dc=example,dc=com
>>
>>         Continue to configure the system with these values? [no]: yes
>>         Synchronizing time with KDC...
>>         *Unable to sync time with IPA NTP server, assuming the time
>>         is in sync. Please check that 123 UDP port is opened.*
>>         User authorized to enroll computers: admin
>>         Password for admin at HQ.EXAMPLE.COM <mailto:admin at HQ.EXAMPLE.COM>:
>>         Successfully retrieved CA cert
>>           Subject:     CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>         <http://HQ.EXAMPLE.COM>
>>           Issuer:      CN=Certificate Authority,O=HQ.EXAMPLE.COM
>>         <http://HQ.EXAMPLE.COM>
>>           Valid From:  Mon Mar 16 18:44:35 2015 UTC
>>           Valid Until: Fri Mar 16 18:44:35 2035 UTC
>>
>>         Enrolled in IPA realm HQ.EXAMPLE.COM <http://HQ.EXAMPLE.COM>
>>         Created /etc/ipa/default.conf
>>         New SSSD config will be created
>>         Configured sudoers in /etc/nsswitch.conf
>>         Configured /etc/sssd/sssd.conf
>>         Configured /etc/krb5.conf for IPA realm HQ.EXAMPLE.COM
>>         <http://HQ.EXAMPLE.COM>
>>         trying https://ipa.hq.example.com/ipa/json
>>         Forwarding 'ping' to json server
>>         'https://ipa.hq.example.com/ipa/json'
>>         Forwarding 'ca_is_enabled' to json server
>>         'https://ipa.hq.example.com/ipa/json'
>>         Systemwide CA database updated.
>>         Added CA certificates to the default NSS database.
>>         Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
>>         Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
>>         Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
>>         Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
>>         Forwarding 'host_mod' to json server
>>         'https://ipa.hq.example.com/ipa/json'
>>         *Could not update DNS SSHFP records.*
>>         SSSD enabled
>>         Configured /etc/openldap/ldap.conf
>>         NTP enabled
>>         Configured /etc/ssh/ssh_config
>>         Configured /etc/ssh/sshd_config
>>         Configuring hq.example.com <http://hq.example.com> as NIS domain.
>>         Client configuration complete.
>>
>>
>>
>>
>
>     It is different. It does not have the same failure about admin as
>     you had in the first email.
>     So may be it is the permissions issue and a separate NTP issue?
>     Did you play with any permissions on the server side?
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150320/c7747d5f/attachment.htm>

More information about the Freeipa-users mailing list